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Abstract. We show that the there exists an infinite family of APN functions of the 
form F(x) = x 2 " + 1 + x 2> " +s + 2k + cx 2 '° +s + 1 + c 2 x 2k + 2 " + § x 2k + 1 ^ over Y 22k , where k is an 
even integer and gcd(2fc, s) = 1, 3 j k. This is actually a proposed APN family of Lilya 
Budaghyan and Claude Carlet who show in [5] that the function is APN when there 
exists c such that the polynomial y 2 +1 + cy 2 +c 2 y + 1 = has no solutions in the field 
F 2 2k . In [6] they demonstrate by computer that such elements c can be found over many 
, fields, particularly when the degree of the field is not divisible by 3. We show that such 

c exists when k is even and 3 \ k (and demonstrate why the k odd case only re-describes 
' an existing family of APN functions). The form of these coefficients is given so that we 

. may write the infinite family of APN functions. 

— |- . APN functions; zeros of polynomials; irreducible polynomials. 

1. Introduction 
Let F2" be a finite field. The number of zeros of the polynomial 

P a (x) = x 2S+l + x + a, ae¥* 2 n (1) 

has been studied in [15^ [16] as it has applications in several different contexts. For exam- 
ple, constructing difference sets with Singer parameters ([SDH])) finding crosscorrelation 
between m-sequences I14j) and more recently in constructing error correcting codes 
' [3]. Also, a similar problem concerning the polynomial x pS+l + ax + b over ¥ p n has been 

C**"* ■ considered by Bluher in [I], where p is an odd prime. 

The following result, due to Helleseth and Kholosha ( |15| Theorem 1]) shows that, when 
gcd(s,n) = 1, the polynomial P a can only have none, one or three zeros. 
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Result 1. For any a € F^n and a positive integer I < n with gcd(/, n) = 1, the polynomial 
P a (x) = x 2 ' +1 + x + a has either none, one, or three zeros in ¥2^. Further, let Mi denotes 
the number of a such that P a {x) has i zeros, then 
(1) Ifn is odd, 



(2) Ifn is even, 

Mn = 2^1 M, =2 n ~\ 



3 

The condition that P a (x) has exactly one zero is also given in Theorem 1]. In 
Section II, when n is even, we study the following problem. 
For which a € Fgn, does P a (x) have no zeros. 

It is well known that P a (x) are related to other polynomials. More precisely, for a 
polynomial of the form G(x) = x 2S+1 + ax 2 * + fix + 7 over F2", by letting x = x + a, G(x) 
can be reduced to the form H(x) = x 2 +1 + ax + j3. Moreover, by a simple substitution 
x = sx with s 2,1 = a, H(x) can be transformed into the form P a (x) = x 2S+l + x + a. 
Through the above transformations and the polynomials obtained in Theorem [TJ we may 
get the ones with the forms G and H. These types of polynomials are of interest in other 
contexts. 
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Before getting into the application on APN functions, we would like to briefly introduce 
these functions. A function F : F 2 ™ — > F 2 » is called almost perfect nonlinear (APN) if the 
number of solutions in F 2 ™ of the equation 

F(x + a) + F(x) = b 

is at most 2, for all a, b € F 2 n,a ^ 0. We also say it has differential uniformity of 2. 
APN functions were introduced by Nyberg in [18] . who defined them as the mappings 
with highest resistance to differential cryptanalysis. In other words, APN functions are 
those for which the plaintext difference x — y yields the ciphertext difference f(x) — f(y) 
with probability l/2 n_1 . Since Nyberg's characterization, many new APN functions have 
been constructed, see [6j [21 [31 [7] and the references there. All the new infinite families 
(from 2005) have been quadratic (algebraic degree of 2) multinomials, as is the one in this 
article. When computing the differential uniformity of a quadratic function we may use 
the equation 

F(x) + F(x + a) + F(a) = 0. 

This is possible as the differential equation is linear. 

Another application of APN functions is in the construction of error correcting codes. 
Each new APN function yields a new and inequivalent error correcting code with the 
parameters of the double error correcting BCH code. In fact, APN functions are said to be 
inequivalent if the extended BCH-like codes constructed from them are inequivalent codes, 
see [2] for details. We refer to inequivalent APN functions as CCZ-inequivalent (named 
after Carlet, Charpin and Zinoviev) [8]. This is a more general form of equivalence than 
the previously used afiine and extended and affine equivalences. It is well known that 
CCZ equivalence preserves the differential and Walsh spectrum of the function. Some 
other equivalent descriptions of CCZ-equivalence and its invariants may be found in [12] . 

In [6] , the authors construct a family of quadratic APN functions provided the existence 
of certain polynomials. 

Result 2. Let n and s be any positive integers, n = 2k,gcd(s,k) = 1, and c,s€ F 2 n be 
such that s F 2 fe . // the equation 

G(x) = x 2S+1 + cx 2S + c 2k x + 1 = 

has no solution x such that x 2k+l = 1, and in particular if the polynomial G is irreducible 
over F 2 n , then the function 

T7 f \ 1 2 s 1 2 k 1 2 k+s \ 1 2 s i 2 k 2 k 1 2 k+s \ , 2 fe+s +2 fe 

ri(x) = x{x + cx + cx ) + x (c x + sx J + x 
is an APN function. 

It was verified in [6] that the aforementioned irreducible polynomial G exist over many 
fields F 2 2fe with 3 \ k by a computer. But, up to now, there is no construction of an 
infinitive family of such polynomials. In Section III, when n = 2k with k even and 3 \ k, 
we construct the polynomials with the form G(x) without zeros (Theorem [2|) by applying 
the techniques used in Section II. 

We will conclude this section by giving some remarks on the APN function F\ in Result 
El Define the function F : F 2 « -4- F 2 » by 

„/ \ 2 S +1 1 2 fe+s +2 fe 1 2 fc+s +l 1 2 k 2 k +2 a , r 2 fe +l 

F[X) = X T + X T + CX T + C X + OX T , 

where n = 2k, 5 F 2 /t. One may check that, if n = 2k with k odd, F is CCZ-equivalent to 
the multinomial APN function in [21 Theorem 1] by substituting x with x + 7X . Also, if 
k is even, F is CCZ-equivalent to Fi in Result [2]by substituting x with x + jx 2k+2S , where 
7 is not a (2 k — l)-th power. Therefore, to prove the existence of the APN function F\ in 
Result [21 it is sufficient to consider the case k is even and the existence of F. One reason 
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here to consider the function F instead of the hexanomial one F\ is that F is equivalent 
to the No. 4 function in the list of quadratic APN functions over fields with dimension 8 
in Dillon's paper and the No. 4 function is also a 5-term polynomial. It should be 
mentioned that we know the family of APN functions we are constructing are inequivalent 
to other families, as computer evidence has verified that it is not equivalent to any power 
mapping when n = 8 [B] • Also for n = 8 we have checked by computer that F in not equiv- 
alent to x 3 + Tr(x 9 ). F has T-rank 13200 (see the definition in [12]), while x 3 + Tr(x 9 ) has 
T-rank 13800. Furthermore, it must be different from the other recently discovered non 
power mapping APN functions as its defined on fields with different degrees. In fact, it 
is a distinguishing factor of the family under consideration here that it can be defined on 
fields with degrees that are powers of 2. This property is seen as desirable by some (and 
necessary by others) in cryptographic applications. The only other APN functions with 
this property are the power mappings x 2S+1 and x 2 S_2S + 1 ) known as the Gold and Kasami 
functions as well as x 3 +Tr(x 9 ). These three functions are defined on fields with any degree. 



2. A Type of Quadratic Polynomials with no Zeros 

In this section, we will study for which a € FJJn, the polynomial P a (x) = x 2S+l + x + a 
has no zeros, where n = 2k and gcd(2/c, s) = 1. 

Theorem 1. Let P a (x) = x 2S+1 + x + a over¥ 2 2k, with (2k, s) = 1. Then P a has no zeros 
if there exists a non-cube b € F 2 2k such that 

b(b + lf +2 - a 
a = A(b) = -i 

(6 + &2-) 2 + 
Proof. We start with the following polynomial, 

b 2 ~ a + l\ ( b^^+bV 



K(x) =b\x + -t— + \x + 



b + b 2 ' 3 J \ b + b 2 ~ a J 

Note that b + b 2 is always not zero as b is neither 1 nor 0. We will demonstrate that 
K has no zeros by setting K(x) = 0, which gives 

\ + T^j =( I + TT^J ■ 

As one side of this expression is a cube, while the other is not, the only possible solutions 
are when its identically zero. This implies 

_ + 1 _ b 2-+l + b 

X ~ b + b 2 '' ~ b + b 2 ' 8 ' 



which in turn implies that 6=1, which it's not. 

Next, we expand K(x) = and gather terms to obtain, 



+ l)x 2a+1 



2 S +1 
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This becomes 

(6+1) ^ +1 + (t + 1)l+ Mt + r^J =0 . 

Now, we divide by 6 + 1 and with a few simplifications we obtain, 



Pa{x) = ^+1 + x + 6(6 + 1) 23+1 = 0. 



So P a (a;) = can not have solutions in F 2 2/= and hence P a {x) has no zeros when a has 
the required form. □ 

Particularly, when s = 1, we may show that -P a (aO has no zeros if and only if a is with 
the form in Theorem [TJ Furthermore we may claim the polynomial is irreducible as it has 
degree 3. 

Corollary 1. The polynomial P a (x) = x 3 + x + a is irreducible over ¥ 2 2k, for any integer 
k, if and only if a = d + d" 1 for some non-cube d. 

Proof. Substituting s = 1 in A(b), we have 

b ( ft 2- 1 + 1 )2-(2+2-i) 
63-2-1(52-1 + 1 )3 

6 + 1 

6 2"1 ■ 

By Theorem [H if a = A(b) = ^pr) then P a {x) has no zeros. For a simpler form we let 

b = d 2 and a has the form d + d~ l for a non cube d. Conversely, by Result [U there 
are 2 g" 1 elements a such that P a has no zeros. Therefore, we only need to prove that 
|Im(^4)| = 2 ~ 1 . Letting C denote the set of non cubes in F 2 2fc, it can be easily verified 

i 2 ( 2^ 1^ 

that A(x) = A{x~ ) for any x € C and |C| = g — ^, so it is sufficient to prove that ^4 
is 2-to-l. Assume there exist x,y £ C such that -A(x) = A(y), after simplification, we get 
xy(x + y) = x + y. Since x, y ^ 0, we have x = y or xy = 1. This shows that ^4 is 2-to-l 
and the proof is finished. □ 

Using a computer, for small values of n, we found the size of the image set of A is 
(2™ — l)/3. This implies that, in Theorem [T] P a has no zeros if and only if a € Im(^4). 
However, we cannot prove this and leave this as a conjecture. 

Conjecture 1. Let n = 2k with k is even and C be the set of non-cubes. Define a function 
A : C -> F 2 n by 

(6 + 6 2 ~ s ) 2+1 

TTie polynomial P a {x) = x 2S+1 + x + a has no zeros if and only if a € 7m(A). 
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Remark 1. We outline a possible method for solving this problem. It can be easily verified 

1 '2('2 ri 1*) 

that A(b) = A(b~ ) and since \C\ = - i — g — it will be sufficient to prove A is a 2-to-l 
mapping. 

By Theorem Q] and the relationship between the polynomials of the form G(x) = x 2S+1 + 
ax 2 " +/3x+7 and P a {x) = x 2 " +1 + x+a mentioned in Section I, we may obtain polynomials 
with no zeros of the form G. In the next section, we will use a variation of the method used 
in TheoremQ]to find the polynomial with no zeros and with the form x 2S+l + cx 2 " +c 2 x + 1 
over F 2 2fc with k is even, for some c € F 2 2fc. It is the existence of this polynomial that 
guarantees the existence of the infinite family of APN functions. We will show that for all 
relevant fields a coefficient c exists such that the polynomial has no zero's. 



3. A FAMILY OF 5-TERM APN FUNCTIONS 

Through the rest of the paper, we assume k is an even integer and 3 { k. In this section, 
we will show that the function 

„/ \ 2 S +1 i 2 k+s +2 k i 2 k+B +l i 2 k 2 k +2 s , r 2 k +l 

F(x) = x T + x T + cx T + c x T + ox T 

is an APN function over F 2 2* by choosing a particular type of c, 5 € F 2 2fc . The nature of 
the coefficients was difficult to find and we require the following lemma to show that they 
exist. 

Lemma 1. Let L = F 2 2fe and k,s be integers such that (s,2k) = 1 with k is even and 
3{ k. Then there exist /3, 7 € L* such that 

7 2S+1 + uf s+1 + 1 = 0, (2) 

where oj has order 3 in L and ^ 2k ~ l ^ (3 2k ^ 1 . 

Proof. Let L 3 denotes the set of cubes in L. First, note that all non-cubes in L can be 
written as cue, lo 2 c for some c € L 3 . We claim that there exist a, b, c E L 3 such that 

a + b = uc. (3) 

If this was not the case then the set of cubes would form an additive, as well as a multi- 
plicative, group and hence yield a subfield of L with an impermissible number of elements. 

Let D denotes the elements of F 2 2k which are not in F 2 t . Now we consider the possible 
cubes that satisfy ([3]) with respect to whether they are in the subfield F 2 t or in its com- 
plement D. If all solutions to ([3]) are such that a, b and c are always in D then the cubes 
in F 2 fe would form an additive group and yield another impossible subfield. On the other 
hand if all solutions are such that a, b and c are always contained in the subfield F 2 fe, then 
the set of cubes in D would form a group under addition with - — ^— elements. But this 
is not a power of 2 and is therefore impossible. We conclude from the above arguments 
that there exists a solution a, b, c to ([3]) with at least one element in F 2 fc and another in 
D. 

We divide Q by a to obtain, 

b c 
1 + - +uj- = 0. 
a a 

Letting a be primitive in L and assuming that b/a = ct,ujc/a = a T , we rewrite the above 
equation as, 

1 + a* + a r = 0. (4) 

All we can say about t and r is that 3 | t while 3 \ r and that at least one of a 1 and a r is 
not in F 2 fc . 
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From Equation we will give two constructions of the required equation 

7 2S+1 +u;/3 2S+1 + l = 0, 

and show that at least one of them has to allow the condition 7 2 * ; ~ 1 ^ (3 2k ^ 1 . 

Construction 1: We construct /3 and 7 as follows. Let a* = 7 2 +1 and a r = uifi 2 +1 . The 
existence of /3, 7 is guaranteed by the fact that (s, 2k) = 1 and then (2 s + 1, 2 2fc — 1) = 3, 
so all cubes can be represented as (2 s + l)-th powers. This gives the required equation 
©. Next we will assume that j 2k ~ l = /3 2k ~ 1 . 

Therefore, 

7 (2*+l)(2 fc -l) = /3 (2 s +l)(2 fc -l)_ 

We now write this equation in terms of the primitive element a and obtain, 

a *(2*-l) = ( U * a rf-l. 

As oj 3 = 1 and 2 k — 1 is divisible by 3, a rearrangement yields 

a (t-r)(2*-l) = 1 

Because a is primitive we know that (t — r)(2 k — 1) = mod 2 2fe — 1. This implies that 
t = r or ot~ r G F 2fe . The t = r case is easily dismissed as t and r are not equivalent 
mod3. The other case we save for later. 

Construction 2: We construct /3 and 7 differently from above. We start with Q. Next, 
we divide by a* to obtain, 

aT 1 + 1 + a 1 " 1 = 0. 

Now, we let a~ l = 7 2S+1 and a r ~ t = ojfi 2S+1 . Again, we get our required Equation ([2]). 
Now assume that 

which implies, 

7 (2 s +l)(2 fe -l) = /? (2 S +1)(2'=-1) > 

As before we write this in terms of a and get 
This yields 

a^ 2 "- 1 ) = 1. 

Note that the /3 and 7 are different in this construction but the a is the same a as in 
Consrtuction 1. 

In this case r = or a r € F 2 k . It is clear that r ^ 0. But if a r is in F 2 fe then this 
construction hasn't worked. Just like if a i_r is in F 2 k, then the first construction hasn't 
worked. But we only require one of them to work so when we assume a r £ F 2 fe and 
a* _r G F 2 fe together we get a r G F 2 fe and a* G F 2 /t which contradicts an earlier claim and 
the proof is complete. □ 



Next we will use the (3 and 7 in Lemma Q] and a modification of the techniques in 
Theorem Q] to prove the existence of the following family of APN functions. 



Theorem 2. Let s and k be integers, with k even, such that (s,2k) = 1 and 3 \ k. We 
choose 5 ^ F 2 fc, u to have order 3 and f3 and 7 such that j 2 +1 + tof3 2 +1 + 1 = with 
7 2 ~ 1 7^ (3 2 _1 . Then the function 

77T/ \ 2 a +l 1 2 k+s +2 k 1 / a 2 s +2 k , 2 s +2 k \ 2 k+s +l , i ,32 fe + s +l , 2 fe+s +lN 2 fc +2 a , r 2 fe +l 

is an APN function on ¥ 2 2k. 
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Proof. The existence of the coefficients is guaranteed from Lemma[TJ To prove the function 
is APN we need to show that the equation 

F(x) + F(x + a) + F(a) = 

has no more than 2 solutions for all nonzero a € F 2 2k. Placing F(x) into this equation 
and then replacing x with ax will give 

(5) 

+a 2fc+2S ( W /3 2fc+s+1 + 7 2fe+s + 1 )(x 2fc + x 2S ) + a 2fc+1 ,5(x + x 2 ") = 0. 

We raise this equation to the 2 fc -th power and obtain a second equation, 

a 2fc+s+2 + z 2 "') + a 2S+1 (z + x 2S ) + a 2fe+2S M 2fe+s+1 + 7 2fc+S+1 )(x 2fc + x 2 *) 

+a 2fc+s+1 M 2S+2fc + 7 2S+2fc )(x + x 2k+s ) + a 2fc+1 5 2fc (x + x 2 ") = 0. 

When we add these two expressions together, we simply get 

a 2k+1 (5 + 6 2k )(x + x 2k ) = 0. 
As a ^ and 5 £ ¥ 2 k this implies that x € F 2 fe . Then our original equation ([5]) becomes 

+ a 2*+'+2* + a 2 * +s + 1 (a;/3 2S + 2fc + 7 2S + 2fc ) +G 2 ^ 2 >/3 2fc+a+1 + 7 2fe+S+1 )) (z+x 2 *) = 

Clearly this will permit only 2 solutions in x provided we can establish that 

a 2*+l + a 2*+- +2 * + a 2*+'+l (a;/ g2' + 2* + ^+2*) + ^+2*^2^+1 + ^+1) ^ ^ 

for all non zero a. To this end we divide by a 2S+l and let y = a 2k ~ l , which gives the 
following, 

G(y) = y 2S+1 + M 2S+2fc + 7 2 *+ 2 V + (co(3 2k+a+1 + 7 2k+s+1 )y + 1 

which if it has no zeros, proves F(x) is APN. To show that G(y) has no zeros, we will 
set it equal to zero and use the techniques in Theorem [1] to produce a factoring which 
allows no solutions. The f3 and 7 were chosen very carefully to allow the usage of this 
technique. 

From w 2 /3~ 2S ~ 1 G(y) = 0, we obtain 

A simple rearrangement of 7 2S+1 + ujf3 2S+1 + 1 = will allow us to write the coefficient 
of y 2 " +1 as uj 2 (jj) 2 +1 + 1. The coefficient of y 2 " can be rewritten as 

u 2 ii) 7 +/5 \ 
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while the coefficient of y can be written as 

n -7 .2 +1 rfk + s os ^9 fc + s _OS 

7 2 2 +/3 2 2 . 

Now, using the fact that, 

7 2 fc (2*+l) +0J p2 k {2°+l) _ l 

we can alter the last term, w 2 /? -2 " -1 , as follows, 

oj 2 ?- 2 *- 1 = cu 2 r 2S - 1 (7 2fc(2S+1) + ^ 2fc(2S+1) ) 

= w 2(2) 23+1 7 (2 s +l)(2 fc -l) +/3 (2 s +l)(2 fc -l)^ 

Placing these alternate forms of the coefficients into cu 2 j3~ 2S ~ l G{y) = yields, 

(- 2 (^f +1 + i)y 2S+1 + (^rV" 1 + ^ V + (- 2 (^) 23+1 7 2fc+3 - 2S + P 2k+s ~ 2S )y 

+w 2(7^ 2S + 1 7 (2 s +l)(2 fe -l) +/3 (2=+l)(2 fe -l) = Q 

P 



This implies 



CJ 2 ( 2 ) 23+1 (y 2»+l + ^2*- y + ^(2*-!)^ + 7 (2*+l)(2*-l), 
= y 2«+l + p*-ly* + ^(2 k -l) y + /3 (2'+l)(2*- 1 )_ 



Next we factor each side to obtain, 

u 2 (j) (y + 7 2 *) =(y + /3 2 x ) • 

Clearly the right hand side of this expression is a cube while the left hand side is not. 
So the only possible solutions occur when y = 7 - 1 = f3 2 ~\ but as we have chosen 7 
and j3 such that 7 2 _1 7^ j3 2 , we can now say that G(y) has no zeros and the proof is 
complete. □ 

We cannot determine the Fourier (Walsh) spectrum of the APN function F in Theorem 
[2] and we leave this as an open problem. By a computer (with n = 8), the Fourier spectrum 
of F is the same as the Gold APN functions, i.e., the spectrum should takes the values 
{0,±2"/ 2 ,±2("+ 2 )/ 2 }. 

All other known APN functions have had their Fourier spectra computed, see [5] and 
references therein. This is done for two reasons. The first is a cryptographic application. 
Knowing a functions spectrum can allow us to compute its nonlinearity, which measures 
the functions resistance to Matsui's linear attack [TTJ. Secondly, the weight distribution 
of the codewords in the BCH-like code constructed from the function is also determined 
by the functions spectrum. All codes derived from an APN function will have a minimum 
distance of 5, but the weight distributions differ among some of the six power mapping 
APN functions. The infinite families of multi-term quadratic APN functions discovered 
since 2005 all have the same spectrum as the gold function and we expect the function in 
this article to be no different. 



Conjecture 2. The Fourier spectrum of the APN function F in Theorem^is {0, ±2 n / 2 , ±2( n+2 )/ 2 }. 
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4. Conclusions 

In this paper, we considered the polynomial P a (x) = x 2S+1 + x + a over ¥2^ with 

b(h+l ) 2 "+ 2 ~ s 

scd(n,s) = 1. It is shown that if a = — — ~sxr for some non-cube b, then P„(x) = 

& v j (b+b?- 8 ) + v ; 

has no solutions. Moreover, we conjecture that the converse of this result is also true. 

In particular, we show that x 3 + x + a is irreducible if and only if a = d + d , for 

some non cube d. By applying the techniques used here we obtain an infinite family of 

polynomials with no zero's of the form x 2S+l + ex 2 " + c 2 x + 1 over ¥ 2 2k with k even and 

gcd(2/c, s) = 1, 3 \ k. This guarantees the existence of the infinite family of quadratic APN 

functions proposed by Budaghyan and Car let in [6]. 
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